7-10 internal local area networks that interconnect ECUs and other computerized devices

Acquisition of digital road mapping and condition data from sensors and the cloud

Artificial intelligence (AI) and machine learning (ML) capabilities

Transmission of vast volumes of data to and from the vehicle

These capabilities converge to trigger a quantum leap in automotive history: the development of the connected car.

Connected Vehicle Ecosystem

As connected cars have become virtual local area networks with numerous endpoints (every ECU can be considered an endpoint), they resemble traditional IT networks. Just like IT networks and endpoints, they are subject to cyberattacks. Manufacturers absolutely must implement powerful automotive cyber security mechanisms even more extensive than they would for an IT network. As we shall explain, approaches used in IT cyber security are pertinent to certain subsystems of the connected vehicle, but not to others where a vehicle-specific approach to connected car data and safety protection is required.

The connected vehicle ecosystem can be decomposed into five interlinked subsystems:

Safety critical subsystem (powertrain components) with direct impact on the safety of vehicle passengers and others

Sensors and V2V Communication provides major inputs to the safety critical subsystem

Operational and V2X Communication includes general and non-critical, safety subsystems and vehicle environment-control components

Business Processes include components related to data monetization as well as Telematics and Fleet Management System (FMS)

What is automotive cyber security

So what is automotive cyber security and what makes it different from IT security?

As we explained in our blog about IDS/IPS and automotive cyber security essentials, IT cyber security mechanisms are appropriate for the non-safety-related, open subsystems in the automotive ecosystem.

White-hat and black-hat hackers have already begun to implement a wide range of attacks against moving and stationary vehicles, sometimes to steal them or their cargoes or data and other times to upset their proper performance. Different types of attacks are directed against each of the five subsystems.

Cyberattacks against the User Experience (5) and Business Processes subsystems (4)

These attacks include installing malware-infected apps over communication channels, or installing rogue, malware-infected components that have bypassed supply chain procedures. In most cases, these types of cyberattacks are similar to those perpetrated against endpoints like smartphones, tablets and laptops; they use similar techniques and hacking tools.

Traditional IT cyber security approaches are relevant here.

Cyberattacks against the Operational and V2X subsystem (3). This subsystem includes:

Vehicle immobilizer

Body control

Remote Keyless Entry

Tire Pressure Monitoring

Vehicle Lights

V2X Gateway

Cyberattacks against the vehicle’s internal and external communication systems resemble network attacks in the IT environment. They are usually a preliminary stage for planting malware somewhere for a zero-day exploit. An example is a cyberattack against the wireless link used for electronic keys with vehicle or cargo theft as the goal.

Cyberattacks against the Safety Critical subsystem (1) and certain aspects of the Sensors and V2V Communication subsystem (2).

Here is where automotive cyber security diverges from the IT model and resembles the closed system found in other moving platforms like fighter jets. In all of the previous subsystems, traditional IPS and IDS technologies provide adequate safeguards and reporting. Losing use of the radio or suffering data leakage, while unpleasant or somewhat damaging, does not endanger the safety of passengers. However, the same cannot be said for some Sensors and V2V Communication and all Safety Critical functions. Here, we need perfect, deterministic cybersecurity in real-time. This is not delivered by IT cybersecurity systems.

Relevant sensors and gateways include:

V2V/V2I gateway

RADAR sensor

LIDAR sensor

Camera(s) sensor

Ultrasound sensor

Safety Critical Subsystems include:

Brake, throttle, steering and ignition key

Airbags

Advanced Driver Assistance System computer and sensors

Anti-lock Braking System

Electronic Stability Program/Subsystem

In this case, we are ultimately concerned with the kinds of attacks that can endanger life and property, which explains the importance of automotive cyber security:

V2V/V2I gateway authentication, integrity and denial of service

Sensor validation and security, authentication and jamming of RF signals

Malware gaining control over a safety-critical ECU

Malware taking control over the communication to the ECU or component

Communication disruption (Denial of Service) over a critical segment of the CAN bus

Omission in the supply chain where an original component is replaced by a malware-infected part

Flaw in the software/firmware management where the original software/firmware component is replaced with a malware-infected counterpart

The components of the Safety Critical Subsystem play a crucial role in preserving the safety of the vehicle, its driver and passengers. In this case, implementation of the cyber security solution has to comply with very strict requirements as if our lives depend on it:

A deterministic and reliable mechanism that is verifiable and certifiable, and that can detect and prevent the cyber threat in real time (preferably in hardware). Software solutions that require post-event analysis by security experts or that are prone to false positives are inadequate.

Formally documented and certified “safe” for the vehicle driver and passengers for each new hardware/software/firmware version, including its embedded cyber security component.

Mandatory extension of OEM and Tier1 product-qualification procedures as well as production-verification and validation procedures to include the cybersecurity component so as to prevent rogue hardware and software/firmware components from creeping into the supply chain via the production line and at maintenance sites.

Download of new versions of software/firmware must be performed using encrypted object-code images signed with electronic signatures that can be verified against the data in the OEM depository. The download of object-code images with incorrect electronic signature must be blocked.

Deterministic Automotive Cyber Security for Safety

A deterministic approach to cyber security at the Safety Critical level is mandatory for passenger and vehicle safety. Here, we cannot rely on the post-event remediation methods of IT cyber security. False positives and false negatives are not an option!
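To make "deterministic" concrete, here is an added example (not from the original article, and not GuardKnox's implementation) of a fixed allowlist check for one safety-critical CAN segment: a frame is forwarded only if its identifier, length and timing match a table derived from the vehicle's design, so the verdict depends on nothing but the frame and the table. The CAN identifiers, lengths, periods and the `check_frame` name are constructed for illustration, and timestamps are assumed to be monotonic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One row per frame the design allows on this segment (constructed values). */
struct can_rule {
    uint32_t id;            /* CAN identifier */
    uint8_t  dlc;           /* exact payload length the design specifies */
    uint32_t min_period_us; /* shortest legal gap between frames with this id */
    uint64_t last_us;       /* timestamp of the last forwarded frame */
    bool     seen;          /* false until the first frame is forwarded */
};

static struct can_rule policy[] = {
    { 0x0C0, 8, 10000, 0, false }, /* hypothetical brake-pressure frame, 100 Hz */
    { 0x1A4, 4, 20000, 0, false }, /* hypothetical steering-angle frame, 50 Hz */
};

enum verdict { FORWARD = 0, DROP_UNKNOWN_ID, DROP_BAD_LENGTH, DROP_TOO_FAST };

/* Bounded table walk: same frame and same table state give the same verdict. */
enum verdict check_frame(uint32_t id, uint8_t dlc, uint64_t now_us)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        struct can_rule *r = &policy[i];
        if (r->id != id) continue;
        if (dlc != r->dlc) return DROP_BAD_LENGTH;
        /* A flood of an allowed id is dropped and does not move last_us. */
        if (r->seen && now_us - r->last_us < r->min_period_us) return DROP_TOO_FAST;
        r->seen = true;
        r->last_us = now_us;
        return FORWARD;
    }
    return DROP_UNKNOWN_ID; /* anything the design does not list is blocked */
}

int main(void)
{
    /* Constructed trace: id, length, timestamp in microseconds. */
    static const struct { uint32_t id; uint8_t dlc; uint64_t t; } trace[] = {
        { 0x0C0, 8, 0 }, { 0x0C0, 8, 2000 }, { 0x7DF, 8, 3000 }, { 0x1A4, 2, 4000 },
    };
    static const char *name[] = { "forward", "drop: unknown id",
                                  "drop: bad length", "drop: too fast" };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("%03X -> %s\n", (unsigned)trace[i].id,
               name[check_frame(trace[i].id, trace[i].dlc, trace[i].t)]);
    return 0;
}
```

Because the table is fixed at design time, there is no tuning and no alert to triage: a frame either matches the specification or is dropped.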

GuardKnox’s deterministic cyber security methodology, Communication Lockdown™, delivers the requirements of the Safety Critical Subsystem of the connected car. Its fully deterministic, closed-system approach is not to look for attacks but to ensure that the vehicle continues to function in the way it was designed. There is no need for cloud connectivity nor for ongoing updates so no malware can sneak in and corrupt the safety requirements of the vehicle.